From 06d6f9ff58fc2e5789471cd39b18935c202b46b7 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 12 Apr 2024 08:52:23 -0400
Subject: [PATCH] Setup PsiTransfer as an oci-container
---
 .../nixos/nixnuc/containers/psitransfer.nix | 32 +++++++++++++++++++
 modules/hosts/nixos/nixnuc/default.nix | 2 ++
 modules/hosts/nixos/nixnuc/secrets.yaml | 5 +--
 3 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 modules/hosts/nixos/nixnuc/containers/psitransfer.nix
diff --git a/modules/hosts/nixos/nixnuc/containers/psitransfer.nix b/modules/hosts/nixos/nixnuc/containers/psitransfer.nix
new file mode 100644
index 0000000..b8f6e55
--- /dev/null
+++ b/modules/hosts/nixos/nixnuc/containers/psitransfer.nix
@@ -0,0 +1,32 @@
+{ config, ... }: let
+ volume_base = "/orico/psitransfer";
+ http_port = "3000";
+ psitransfer_dot_env = "${config.sops.secrets.psitransfer_dot_env.path}";
+in {
+
+ #############################################################################
+ # My intent as of now is to only make this available to the outside world #
+ # on an as-needed basis, maybe via Tailscale Funnel. #
+ # For example: $ tailscale funnel localhost:3000 #
+ #############################################################################
+
+ sops.secrets.psitransfer_dot_env = {
+ sopsFile = ../secrets.yaml;
+ restartUnits = [
+ "podman-psitransfer.service"
+ ];
+ };
+
+ virtualisation.oci-containers.containers = {
+ "psitransfer" = {
+ autoStart = true;
+ image = "psitrax/psitransfer";
+ environmentFiles = [ psitransfer_dot_env ];
+ ports = [ "${http_port}:3000" ];
+ volumes = [
+ "${volume_base}/data:/data"
+ ];
+ };
+ };
+}
+
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 2381e5d..789dfed 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
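Review bot: `ports = [ "${http_port}:3000" ];` in psitransfer.nix publishes the container on every host interface, which conflicts with the comment above it about exposing PsiTransfer only on demand through `tailscale funnel localhost:3000`; binding to loopback, `ports = [ "127.0.0.1:${http_port}:3000" ];`, would match that stated intent. The `3000 # PsiTransfer in oci-container` entry added to `firewall.allowedTCPPorts` in the default.nix hunk widens the same exposure, and a Funnel that targets localhost should not need it, so that line could be dropped or scoped to a single interface. Separately, `image = "psitrax/psitransfer";` carries no tag or digest, so every pull takes whatever the registry currently serves as the default tag; pinning it, for example `image = "psitrax/psitransfer:<version>@sha256:<digest>";` (placeholders), makes the deployed file-upload service reproducible and reviewable. Whether uploads are password-protected depends on the encrypted env file, which cannot be seen from this diff, so a short comment naming the settings it is expected to carry would help.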
@@ -2,6 +2,7 @@
 imports = [
 ./hardware-configuration.nix
 ./containers/audiobookshelf.nix
+ ./containers/psitransfer.nix
 ./containers/nginx-proxy.nix
 ../../../system/common/linux/restic.nix
 ];
@@ -51,6 +52,7 @@
 firewall.allowedTCPPorts = [
 22 # ssh
 80 # http to local Nginx
+ 3000 # PsiTransfer in oci-container
 8080 # Tandoor in podman compose
 8090 # Wallabag in podman compose
 13378 # Audiobookshelf in oci-container
diff --git a/modules/hosts/nixos/nixnuc/secrets.yaml b/modules/hosts/nixos/nixnuc/secrets.yaml
index de8c622..6b5196f 100644
--- a/modules/hosts/nixos/nixnuc/secrets.yaml
+++ b/modules/hosts/nixos/nixnuc/secrets.yaml
@@ -1,6 +1,7 @@
 tailscale_key: ENC[AES256_GCM,data:aB3KUD4QYm+ZDrjjLcU3gQ8kneVGkVYBsrkVcioOhxunal2FekLDrpKxJwNXuiwx2M5vipnGAEPO,iv:e+tPPfVYkv4U0KRGwspWb1O3ZQom/WFFGm9H9cd/KKE=,tag:ZG5z1C18bj1L7DcGzunQ0w==,type:str]
 local_git_config: ENC[AES256_GCM,data:Nqwog5C4wnRzNoS4oqaYQ4J1DIj7fUL1y/nXESquR0N7KQ+ebhvuJnM=,iv:Q6o45LZStS3k8iO7s2P6u7OrKFu5alplshZuGgeRKmk=,tag:NcLJrI9AK4eDroODX15lcA==,type:str]
 local_private_env: ENC[AES256_GCM,data:qOPXTS2uo/1jyVEKCtBvuK/dzZaPf1K5tHuSVF2hBg4fdPYIsDPkM108cGVxJviebB3xVZejn/JVOdUDXQj6,iv:TtyMTOJXaPUrbSaAdtMaGPBlwLl/Y/IBYVCzhhiZozY=,tag:hUyVL8xk3w1iMwNAZw5QUw==,type:str]
+psitransfer_dot_env: ENC[AES256_GCM,data:bhvU0AOCjecZ62BtLw4H1DdkLeatI+uUl6L7UkdDRkBF3sayO45Z1eR4q60tflXucyTGhT8WgKFz53I+C2dn265wzojIRc3Xr4TBLyWpfJ7/dct40SckgUiRvOnrefiriWQ=,iv:DGMhDkzgeupzzTJnCdVWDPUSo2wxI3MAypKQwVfHExE=,tag:KbteGqrkqgj2XB1lvlk/yQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -16,8 +17,8 @@ sops:
 bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD
 PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-21T01:11:58Z"
- mac: ENC[AES256_GCM,data:Yr41oSVmHr6UJ5H9tSTq5Cv5yZJH3Mfi7QQowJ6uu/L9WO4Ehjij3z7WGhsYk3EQvZjH0C2pcFKZY4ldaMLJNGN3pn0xmIvs3H4KIpVcmJLbPjUzRguCDV4ETSrBcB1z6IF1YPnCzUGmGWLkEePIZmeVvXMkBvKWITXzm9ApCHM=,iv:crQ9DBzq3btjrTZt+Pcch+evJszzVmokLM4pyRhGTo8=,tag:6GfDtzoCdFMw65VWL4CU/A==,type:str]
+ lastmodified: "2024-04-12T12:45:07Z"
+ mac: ENC[AES256_GCM,data:SdLYmMEPe3UilHiSifRvLYFd9gJR7KlmcaGtkKB5X+Xj94KMALsfrU0NsRmrlMr5XGYSwhBIaJrgz9RPFUu5VmG1Lli2K8D8QNyc/qSr7AHTWU9uBFfmFJEau0VyD6oFmi/nJPObwJlTfoUn5H7BU0jCFjNnsf1BYHXS8Qafh4Y=,iv:vEwboA3iz/6tHpWh5ZQhkok9ZAOGXf1WHI+6VrR4fnA=,tag:lfTIRhg99Vs57hFQE/n84g==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1